There is an old saying that goes “Trouble always comes in threes”. This saying has certainly proved true in the virus world for 2004.
The triple attack of the Bagle, Netsky and MyDoom families of worms, have dominated the inboxes of the unsuspecting throughout the year, each vying for the “top” spot month by month.
Not every variant of the worms has been widely distributed; in fact, there have been other worms that have far outstripped any individual of those families. For instance, W32/Zafi.b was far and away the most prolific individual worm – most prevalent in June – knocking the Netsky.P worm off the “most detected virus in the world” spot and indeed, it’s still very common. But combined, the Bagle, Netsky and MyDoom families have made up an overwhelming percentage of this year’s worms.
Earlier last year there seemed to be a “war” going on between the authors of these worms, each trying to outdo each other, and including hidden messages to each other in the code of their creations. This (often unfriendly) rivalry drove the number of variants up very rapidly.
The three families continue to evolve, currently Bagle has around one-hundred variants (some companies put this figure higher and some lower) there are around fifty Mydoom worms and about sixty Netsky variants. Netsky though has far and away the most detections, with five variants in the “top ten” most detected worms in the past year. (Source Virus-Radar http://www.virus-radar.com)
It wasn’t me, honest!
It’s very probable that the authors of the current worms are not the ones who originally wrote them. An early version of Bagle contained the unencrypted source code for the worm, the Doomjuice worm contained the source code for the MyDoom worm, and the Netsky code was released in March 2004.
The act of releasing the source code is probably to help plausible deniability – if caught by law enforcement; the writer can claim that the virus put the code there or that they downloaded it from the internet but didn’t write it. Of course, it’s also a way to increase the “fame” of the virus, as although writers usually claim they release the code for “educational” purposes, most of them know that others will create new versions of their viruses, and distribute them. This also adds to the defense, as they can claim that they never intended it to be released as a virus.
Distributing the source code didn’t help the alleged author of the early Netsky worms being arrested by the German police several weeks later. Strangely, he was later offered a job in a security software company, though why anyone would think that a virus writer would know anything about security is as yet unexplained, and apart from the publicity gained, the risk to any company employing a virus-writer has to be significant, but that’s a different story.
The clone wars
The easy availability of source code meant that anyone could create their own variant versions of these worms, without having to have the skills to create them from nothing.
This has certainly contributed to the large number of variants that continue to be released. Many of these are simply clones of variants, compressed with a runtime-packer. If the versions compressed by runtime packers are included as variants (runtime packers allow executables to be compressed and still run as normal) then there would be over one hundred variants of W32/Netsky.P alone.
The problem with runtime-packers is that there are many of them, each working slightly differently, and each alters (usually by compression or encryption) the code of the executable, so that anti-virus products often need to be updated for each. Some anti-virus companies have been very successful at detecting these new variants without updates, particularly those using heuristic techniques (heuristics is a predictive detection method that uses advanced algorithms to detect new viruses), but many products still require updating for each new variant.
The sheer volume of these worms in circulation significantly increases the risk of receiving them in email, and there are still an astonishing number of PC’s out there without updated anti-virus, whose click happy users daily fall prey to these worms.
Attack of the Cyber Zombies
Many of the later variants of these worms try to download something from a website after infection, often a backdoor Trojan, to allow the creator access to the infected machine.
There has been some speculation that this is being done to deliberately create huge networks of compromised machines that can be used to send spam or perform denial of service attacks.
Such “zombie” networks are a valuable resource to the cyber criminal, and access to these networks is being sold to Spammers to allow them to distribute their mail-runs through compromised machines, helping them to avoid detection, and reducing their costs. Certainly there seem to be commercial incentives to exploit malware techniques for gain, as professional spammers look for new ways to reduce their costs and increase their output, and networks of compromised home PC’s with broadband connections are a tempting resource.
Predicting the future
One thing that has been made obvious by the proliferation of these and other worms, and the speed with which they spread and infect machines, is that the traditional anti-virus scanner, based only on signature updates, will eventually become extinct. The future requires more robust detection and only products offering strong heuristic detection – to catch new variants without the need for updates – in combination with signature based scanning will be truly effective.